Zero-day vulnerability in Flash being exploited, updates available

Friday, October 16, 2015

Editor's note: This bulletin was posted on Oct. 15 and updated on Oct. 16.

Adobe Flash updates available

Many vendors have released patches for applications that use Adobe Flash Player. To see a list of the latest Flash Player version information for commonly used operating system platforms and browsers, please visit:

Adobe states that they expect to make a fix available during the week of Oct. 19.

Impact

Spam messages disguised as international current events stories contain links to URLs hosting the exploit. Clicking these links will run the exploit, which can allow an attacker to gain control of the system without further user interaction.

Platforms affected

Adobe Flash Player 19.0.0.207 and earlier versions for Windows and Macintosh

Adobe Flash Player Extended Support Release version 18.0.0.252 and earlier 18.x versions

Adobe Flash Player 11.2.202.535 and earlier 11.x versions for Linux

Local observations

Updates will be available to the IU community via Secunia CSI and the IU Microsoft Update Service as soon as they are released by Adobe. To date, no active use of the exploit has been reported or observed at IU, but users should exercise caution regardless of network location.

Be wary of links sent in email. Because the exploit is currently delivered through spear-phishing campaigns, use extra caution with links, even those that appear to come from individuals or groups you trust. Best practice is not to click links in emails, but rather to navigate to websites manually yourself.